
TP-Link WR940N Remote Code Execution

Numerous remote code execution paths were discovered in TP-Link's WR940N home WiFi router. Valid credentials are required for this attack path. It is possible for an authenticated attacker to obtain a remote shell with root privileges.

** Details

There were multiple occurrences of strcpy being used in an unsafe manner, resulting in a trivial buffer overflow condition. It is also possible to cause a Denial of Service on the web service.

Using the 'Diagnostic' page, an attacker can use the router's built-in 'ping' feature either to cause a Denial of Service (crashing the web server) or to exploit a buffer overflow condition and obtain a remote root shell.
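As an added illustration, not code from the advisory or from the WR940N firmware, the C program below models the unsafe strcpy pattern described above next to a bounded replacement. The stack-frame layout (a 64-byte local buffer followed by the saved return address), the handler names and the big-endian byte order are assumptions made for the model, not details recovered from the router binary; the sample field values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of a handler's stack frame (not the real firmware layout):
 * HOST_LEN bytes of local buffer for the ping target, then the 4-byte saved
 * return address, then 4 bytes of slack standing in for the next saved
 * register. Values are stored big-endian, as on a MIPS router (assumption). */
#define HOST_LEN  64
#define RET_OFF   HOST_LEN
#define FRAME_LEN (HOST_LEN + 8)

struct frame { unsigned char bytes[FRAME_LEN]; };

static void put_be32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void frame_init(struct frame *f, uint32_t saved_ret) {
    memset(f->bytes, 0, FRAME_LEN);
    put_be32(f->bytes + RET_OFF, saved_ret);
}

static uint32_t frame_saved_ret(const struct frame *f) {
    return get_be32(f->bytes + RET_OFF);
}

/* Vulnerable pattern: strcpy() trusts the length of the request field, so a
 * value longer than HOST_LEN runs over the saved return address. The real
 * handler has no check at all; the one here only keeps the model in bounds. */
static int ping_handler_unsafe(struct frame *f, const char *ping_addr) {
    if (strlen(ping_addr) >= FRAME_LEN)
        return -1;
    strcpy((char *)f->bytes, ping_addr);
    return 0;
}

/* Hardened form: reject anything that does not fit or is not plausibly a
 * host name / IP address, then copy with an explicit bound. */
static int ping_handler_safe(struct frame *f, const char *ping_addr) {
    const char *end = memchr(ping_addr, '\0', HOST_LEN);
    size_t n, i;
    if (end == NULL)                 /* no terminator within HOST_LEN: too long */
        return -1;
    n = (size_t)(end - ping_addr);
    if (n == 0)
        return -1;
    for (i = 0; i < n; i++) {
        char c = ping_addr[i];
        int ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                 (c >= 'A' && c <= 'Z') || c == '.' || c == '-' || c == ':';
        if (!ok)
            return -1;
    }
    memcpy(f->bytes, ping_addr, n + 1);  /* n + 1 <= HOST_LEN: saved return untouched */
    return 0;
}

/* Build a field value that overwrites the saved return address with want_ret.
 * strcpy() stops at the first NUL, so an address containing a zero byte cannot
 * be delivered this way; return 0 (no payload) in that case. */
static size_t make_overflow_payload(char *out, size_t cap, uint32_t want_ret) {
    unsigned char ret[4];
    size_t i;
    if (cap < HOST_LEN + 4 + 1)
        return 0;
    put_be32(ret, want_ret);
    for (i = 0; i < 4; i++)
        if (ret[i] == 0)
            return 0;
    memset(out, 'A', HOST_LEN);          /* filler up to the saved return address */
    memcpy(out + HOST_LEN, ret, 4);
    out[HOST_LEN + 4] = '\0';
    return HOST_LEN + 4;
}

int main(void) {
    struct frame f;
    char payload[FRAME_LEN + 1];
    size_t n = make_overflow_payload(payload, sizeof payload, 0x42434445u);
    frame_init(&f, 0x11223344u);
    ping_handler_unsafe(&f, payload);
    printf("unsafe: %zu-byte field, saved return is now 0x%08x\n", n, frame_saved_ret(&f));
    frame_init(&f, 0x11223344u);
    printf("safe: rc=%d, saved return still 0x%08x\n",
           ping_handler_safe(&f, payload), frame_saved_ret(&f));
    printf("safe: rc=%d for \"192.168.0.1\"\n", ping_handler_safe(&f, "192.168.0.1"));
    return 0;
}
```

The point of the model is the contrast: the unsafe handler happily lets a 68-byte field replace the saved return address with attacker-chosen bytes, while the bounded version refuses the same input before anything is copied. The NUL-byte restriction in make_overflow_payload is the same constraint a real strcpy-based exploit has to work around when choosing its return address.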

** Vendor Response

TP-Link have released a new version of the firmware, thus mitigating exploitation of this issue.

** Report Timeline

* Disclosed to vendor - 11/8/2017
* Response from vendor, request for initial advisory - 14/8/2017
* Initial advisory sent - 14/8/2017
* Beta patch sent for testing by vendor - 17/8/2017
* Patch confirmed to work, however other vulnerable locations were identified; a second exploit was written to demonstrate this. Sent to vendor - 17/8/2017
* Response by vendor, will look into the other vulnerable locations - 18/8/2017
* Second patch sent for testing by vendor - 25/8/2017
* Patch confirmed to mitigate vulnerabilities (500+ calls to strcpy removed) - 29/8/2017
* Patch released - 28/9/2017 (Only HW V5 US)

** Credit

This vulnerability was discovered by Tim Carrington, part of the Fidus Information Security research team.

This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/

Proof of concept:

# Python 2 proof of concept (urllib2, optparse); only the imports and the
# banner are reproduced here.
import urllib2
import base64
import hashlib
from optparse import *
import sys
import urllib

banner = ("___________________________________________________________________________\n"
          "WR940N Authenticated Remote Code Exploit\n"
          "This exploit will open a bind shell on the remote target\n"
          "The port is 31337, you can change that in the code if you wish\n"
          "This exploit requires authentication, if you know the creds, then\n"
          "use the -u -p options, otherwise default is admin:admin\n"
          "___________________________________________________________________________")